package com.fansl.allround.common.security.component;

import com.fansl.allround.common.core.config.FilterIgnorePropertiesConfig;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.UserAuthenticationConverter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.web.client.RestTemplate;

/**
 * @author fansl
 * @Description: 1. 支持remoteTokenServices 负载均衡
 * 2. 支持 获取用户全部信息
 * @date 2019/7/12 11:56
 */
@Slf4j
public class AllroundResourceServerConfigurerAdapter extends ResourceServerConfigurerAdapter {
    @Autowired
    protected ResourceAuthExceptionEntryPoint resourceAuthExceptionEntryPoint;
    @Autowired
    protected RemoteTokenServices remoteTokenServices;
    @Autowired
    private FilterIgnorePropertiesConfig ignorePropertiesConfig;
    @Autowired
    private AccessDeniedHandler accessDeniedHandler;
    @Autowired
    private RestTemplate restTemplate;
//    @Autowired
//    private AuthenticationManager manager;
//    @Autowired
//    private Oauth2AccessDecisionManager accessDecisionManager;
//    @Autowired
//    private Oauth2FilterInvocationSecurityMetadataSource securityMetadataSource;

    @Override
    @SneakyThrows
    public void configure(HttpSecurity httpSecurity) {

//        httpSecurity.addFilterAfter(createApiAuthenticationFilter(),FilterSecurityInterceptor.class);
        //允许使用iframe嵌套，避免swagger-ui不被加载的问题
        httpSecurity.headers().frameOptions().disable();

        //请求权限设置
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>
                .ExpressionInterceptUrlRegistry registry = httpSecurity
                .authorizeRequests();
        //设置放行的url,permitAll()表示这个不需要验证
        ignorePropertiesConfig.getUrls()
                .forEach(url -> registry.antMatchers(url).permitAll());
        //其他需要经过认证
        registry.anyRequest().authenticated()
                .and().csrf().disable();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
        UserAuthenticationConverter userTokenConverter = new AllroundUserAuthenticationConverter();
        accessTokenConverter.setUserTokenConverter(userTokenConverter);

        remoteTokenServices.setRestTemplate(restTemplate);
        remoteTokenServices.setAccessTokenConverter(accessTokenConverter);
        resources.authenticationEntryPoint(resourceAuthExceptionEntryPoint)
                .accessDeniedHandler(accessDeniedHandler)
                .tokenServices(remoteTokenServices);
    }

//    private Oauth2FilterSecurityInterceptor createApiAuthenticationFilter(){
//        Oauth2FilterSecurityInterceptor interceptor = new Oauth2FilterSecurityInterceptor();
//        interceptor.setAuthenticationManager(manager);
//        interceptor.setAccessDecisionManager(accessDecisionManager);
//        interceptor.setSecurityMetadataSource(securityMetadataSource);
//        return interceptor;
//    }
}
